Incident response
Microsoft 365
Compromised Account
Fast containment and proper cleanup prevent repeat abuse and protect your organisation from further damage.
Common indicators
- Sign-ins from unfamiliar locations or devices
- Inbox rules or forwarding created without approval
- Users reporting phishing emails "from you"
- Missing, moved, or deleted emails
- MFA prompts the user did not initiate
What I do
- Contain and secure compromised accounts
- Remove malicious rules and persistence
- Review risky sign-ins and authentication gaps
- Apply practical tenant hardening
- Provide documented remediation notes
Immediate response
What to do if your Microsoft 365 account is compromised
If you suspect a Microsoft 365 account has been compromised, taking immediate action can prevent further abuse and limit damage to your organisation.
- Reset the affected user's password and revoke active sessions.
- Review recent sign-ins in Microsoft Entra ID for unusual locations or devices.
- Check mailbox rules for suspicious forwarding or hidden inbox rules.
- Review OAuth applications that may have been granted access to the mailbox.
- Confirm multi-factor authentication is enabled and enforced.
If the compromised account has administrative privileges or phishing emails were sent to contacts, a broader tenant investigation may be required to ensure attackers have not established persistence.
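The response steps above, gathered into one PowerShell triage script as an added example (not code from this page or its author). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that Connect-MgGraph and Connect-ExchangeOnline have already been run with sufficient rights; the user principal name is a placeholder you supply.

```powershell
# Containment and triage for one suspected-compromised Microsoft 365 user (added example).
# Assumes an authenticated Graph session and Exchange Online session already exist.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. user@contoso.example
)

# Step 1: revoke refresh tokens and active sessions so every device must re-authenticate.
# The password reset itself is done in the admin centre (or Update-MgUser -PasswordProfile)
# so the new credential never lands in a script or transcript.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# Step 2a: inbox rules, including hidden ones; flag forwarding, redirecting, deleting or moving
# mail into folders attackers commonly use to hide replies.
$rules = Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    ($_.MoveToFolder -match 'RSS|Archive|Conversation History|Junk')
}
$suspicious | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize

# Step 2b: mailbox-level forwarding is not an inbox rule, so check it separately.
Get-Mailbox -Identity $UserPrincipalName |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Step 3: sign-ins over the last 7 days, summarised by country and source IP.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since" |
    Group-Object { "$($_.Location.CountryOrRegion) $($_.IpAddress)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 4: OAuth consent grants where this user is the principal (delegated access to apps).
$user = Get-MgUser -UserId $UserPrincipalName
Get-MgOauth2PermissionGrant -All -Filter "principalId eq '$($user.Id)'" | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Scope = $_.Scope; ConsentType = $_.ConsentType }
}

# Step 5: authentication methods registered for the user, to confirm MFA is actually in place
# and that no unexpected method (new phone, new authenticator) was added during the compromise.
Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
    Select-Object @{ n = 'Method'; e = { $_.AdditionalProperties.'@odata.type' } }, Id
```

Any OAuth grant or authentication method the user does not recognise should be removed, and the review widened to the tenant if the account held admin roles.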